🛡️ Domain Trust Monitor

Pricing

from $10.00 / 1,000 results

Audit your entire domain portfolio for SSL expiry, DMARC posture, and security headers, outputting an executive summary with clear remediation rows.

Developer

太郎 山田

Maintained by Community

Domain Security Audit API | SSL Expiry, DMARC, Domain Expiry

Run a complete, remediation-first audit across your public web assets to monitor SSL expiry, domain ownership renewals, DMARC/SPF/DKIM posture, and critical OWASP security headers. Built specifically for IT operations, security analysts, and compliance teams, this tool replaces the need to juggle several narrow utilities by delivering a single, unified trust score for every URL.

When managing an extensive enterprise portfolio, tracking infrastructure health manually or via fragmented tools leads to missed renewals, degraded email deliverability, and compliance drift. This Domain Trust Monitor operates as a recurring webhook alert system or a scheduled compliance check to safeguard your organization's digital footprint. It actively extracts precise technical details—such as exact days until certificate expiry, missing SPF records, permissive DMARC policies, and absent HSTS headers—so platform engineers can act immediately on the data.

Instead of just raw data dumps, the output is structured for executive visibility and direct engineering action. You receive a high-level summary of your portfolio's overall health alongside granular, per-domain remediation rows. Schedule daily or weekly runs to monitor vendor domains, track internal asset compliance, ensure your email security records remain intact, and catch expiring SSL certificates long before they cause user-facing downtime, search ranking penalties, or browser warnings.

Store Quickstart

  • Start with store-input.example.json for the smallest useful run: 2 domains in, one executive summary + remediation list out in the Apify OUTPUT record (or local output/result.json), plus per-domain dataset rows.
  • Check sample-output.example.json for the current starter proof from that same quickstart surface.
  • Check live-proof.example.json for the latest live canary + contract proof on the public actor surface.
  • Then use store-input.templates.json as the core Wave 1 ladder:
    • Starter Quickstart (2 Domains -> Summary + Remediation List) — fastest proof of value with no webhook or reputation key
    • Recurring Portfolio Watch (Dataset Baseline) — broaden the same audit into a scheduled portfolio baseline
    • Webhook Remediation Queue (Routed Alerts) — send the same executive summary + alert queue to your own endpoint once dataset review is stable
    • Renewal Watchlist (Recurring SSL + Domain Expiry) / Security Audit + Web Risk (Advanced Add-on) — actor-specific expansion lanes when renewal focus or reputation enrichment matters

Key Features

  • 🔐 Remediation-first summary — Return one executive summary plus prioritized alert rows for the domains that need action first
  • 📅 Expiry watch — Track SSL certificate windows and domain-expiry risk in the same workflow
  • 📬 Email-auth posture — Check DMARC, SPF, and optional DKIM selectors without separate tooling
  • 🧱 Critical header checks — Flag missing HSTS, CSP, X-Frame-Options, and related trust signals
  • 📡 Dataset or webhook delivery — Push the same remediation payload into ticketing, Slack, or internal queues

Use Cases

Who | Why
IT / infrastructure teams | Catch renewal windows and broken SSL posture before public outages or trust issues escalate
Security teams | Surface weak DMARC/SPF/DKIM posture and missing headers in one recurring audit
Compliance / risk teams | Keep lightweight evidence of public trust controls and remediation status by domain
Platform / RevOps teams | Route actionable alert rows into Slack, ticket queues, or vendor reviews

Input

Field | Type | Default | Description
domains | array | prefilled | Free / starter quickstart: begin with 2-3 domains for a fast first success. Paid expansion: grow into larger recurring p
port | integer | 443 | Port used for SSL/TLS expiry and trust checks across the portfolio.
expiryWarningDays | integer | 30 | Flag certificates or domains that expire within this many days.
followRedirects | boolean | true | Follow redirects before scoring the final site's security headers.
checkDkim | boolean | true | Probe common selectors so the first run catches missing DKIM alongside SPF and DMARC.
dkimSelectors | array | | Optional DKIM selectors to check instead of the built-in defaults.
delivery | string | "dataset" | Free / starter path: dataset keeps the first run low-friction and still writes the full summary to OUTPUT. Paid expansio
webhookUrl | string | | Advanced delivery only: required when delivery is webhook. The payload includes the executive summary, flattened remedia

Input Example

{
  "domains": [
    "example.com",
    "github.com"
  ],
  "expiryWarningDays": 30,
  "delivery": "dataset",
  "snapshotKey": "domain-security-audit-quickstart",
  "concurrency": 2
}

Output

Field | Type | Description
meta | object |
alerts | array |
results | array |
alerts[].domain | string |
alerts[].severity | string |
alerts[].component | string |
alerts[].type | string |
alerts[].message | string |
alerts[].policy | null |

Output Example

{
  "meta": {
    "executiveSummary": {
      "overallStatus": "attention_needed",
      "brief": "1 of 2 domains needs action. Highest-risk issue: 5 alert(s): DMARC record is missing.",
      "recommendedCadence": "daily",
      "topDomains": [
        {
          "domain": "example.com",
          "severity": "high",
          "trustScore": 41,
          "brief": "5 alert(s): DMARC record is missing."
        }
      ]
    },
    "runProfile": {
      "tier": "starter",
      "label": "Starter first-success path"
    },
    "usageAdvisories": {
      "summary": "1 usage/recovery advisory signal active for this run.",
      "signals": [
        {
          "id": "starter_portfolio_boundary",
          "limit": "3 domains in the starter quickstart"
        }
      ]
    },
    "upgradeSuggestions": [
      {
        "type": "schedule",
        "templateId": "portfolio_watch",
        "cadence": "daily",
        "title": "Promote this baseline to a recurring portfolio watch"
      }
    ],
    "nextWorkflow": {
      "type": "same_actor_template",
      "id": "action_needed_webhook",
      "title": "Next best step: Webhook Remediation Queue"
    }
  },
  "alerts": [
    {
      "domain": "example.com",
      "severity": "high",
      "component": "dns",
      "type": "dmarc_missing_or_weak",
      "message": "DMARC record is missing."
    },
    {
      "domain": "example.com",
      "severity": "high",
      "component": "rdap",
      "type": "domain_expiring_soon",
      "message": "Domain expires in 28 days"
    }
  ],
  "results": [
    {
      "domain": "example.com",
      "severity": "high",
      "recommendedActions": [
        "Publish an enforced DMARC policy (quarantine or reject) with aggregate reporting.",
        "Renew the domain registration before the expiry window closes.",
        "Add the missing critical security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options)."
      ]
    }
  ]
}

API Usage

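Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations. The Apify API also accepts the token in an Authorization: Bearer header, which keeps it out of URLs that proxies and servers may log.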

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~domain-trust-monitor/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "domains": [ "example.com", "github.com" ], "expiryWarningDays": 30, "delivery": "dataset", "snapshotKey": "domain-security-audit-quickstart", "concurrency": 2 }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish.
run = client.actor("taroyamada/domain-trust-monitor").call(run_input={
    "domains": [
        "example.com",
        "github.com"
    ],
    "expiryWarningDays": 30,
    "delivery": "dataset",
    "snapshotKey": "domain-security-audit-quickstart",
    "concurrency": 2
})

# Print each per-domain row from the run's default dataset.
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });

// Start the actor and wait for the run to finish.
const run = await client.actor('taroyamada/domain-trust-monitor').call({
    "domains": [
        "example.com",
        "github.com"
    ],
    "expiryWarningDays": 30,
    "delivery": "dataset",
    "snapshotKey": "domain-security-audit-quickstart",
    "concurrency": 2
});

// Fetch the per-domain rows from the run's default dataset.
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

  • Keep concurrency ≤ 5 when auditing third-party domains to avoid WAF or rate-limit triggers.
  • Use dataset delivery for the first validation pass; webhook delivery works best once your remediation routing is stable.
  • Enable checkDkim and custom selectors only when email-auth posture matters for the domain set.
  • Use Apify API run-sync-get-dataset-items or the Apify OUTPUT summary when you want fast JSON for CI, tickets, or internal queues.
  • Start with a small domain set, review the alert severity mix, then scale up.
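
The CI use mentioned in the tips above, as an added example (not the actor's own code): a gate that reads output shaped like the Output Example, groups alerts at or above a severity threshold by domain, and returns a non-zero exit code when anything needs action. The severity names other than "high" and the function names are assumptions; unknown severities are treated as failing.

```python
import json
from collections import defaultdict

# Assumed severity ladder: the page only shows "high"; the other names are guesses.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample, trimmed from the Output Example on this page.
SAMPLE_OUTPUT = json.loads("""{
  "alerts": [
    {"domain": "example.com", "severity": "high", "component": "dns",
     "type": "dmarc_missing_or_weak", "message": "DMARC record is missing."},
    {"domain": "example.com", "severity": "high", "component": "rdap",
     "type": "domain_expiring_soon", "message": "Domain expires in 28 days"}
  ],
  "results": [{"domain": "example.com", "severity": "high", "recommendedActions": [
    "Renew the domain registration before the expiry window closes."]}]
}""")

def rank(severity):
    # Unknown or missing severities rank highest so a schema change fails closed.
    return SEVERITY_RANK.get(str(severity).lower(), max(SEVERITY_RANK.values()) + 1)

def build_queue(output, fail_at="high"):
    """Group alerts at or above fail_at by domain and attach recommended actions."""
    threshold = SEVERITY_RANK[fail_at]
    actions = {r.get("domain"): r.get("recommendedActions", [])
               for r in output.get("results", [])}
    queue = defaultdict(lambda: {"alerts": [], "actions": []})
    for alert in output.get("alerts", []):
        if rank(alert.get("severity")) >= threshold:
            domain = alert.get("domain", "<unknown>")
            queue[domain]["alerts"].append(
                (alert.get("component"), alert.get("type"), alert.get("message")))
            queue[domain]["actions"] = actions.get(domain, [])
    return dict(queue)

def gate(output, fail_at="high"):
    """Return a process exit code: 1 if anything needs action, else 0."""
    if "alerts" not in output:
        return 1  # a payload without an alerts key is not evidence of a clean run
    return 1 if build_queue(output, fail_at) else 0

if __name__ == "__main__":
    for domain, entry in build_queue(SAMPLE_OUTPUT).items():
        for component, kind, message in entry["alerts"]:
            print(f"{domain} [{component}/{kind}] {message}")
    raise SystemExit(gate(SAMPLE_OUTPUT))
```
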

FAQ

What checks are included in the starter run?

The starter path covers SSL expiry, domain expiry, DMARC/SPF posture, optional DKIM probing, redirect-aware header checks, and a remediation summary.

What happens when a domain is unreachable or blocked?

The actor records an error or warning row for that domain and keeps processing the rest of the portfolio.

Can I schedule recurring audits?

Yes — use Apify Schedules for daily, weekly, or renewal-window audits and add webhook delivery when you want the remediation queue pushed elsewhere.

Do I need external API keys?

No for the base audit. Optional add-ons such as Web Risk can enrich the run, but the core SSL, DNS, and header checks use public data.

Can I route only the remediation queue to another tool?

Yes. Webhook delivery includes the executive summary plus flattened alert rows, which works well with Slack, Make, n8n, ticketing tools, or your own endpoint.

Use this actor first when trust, renewal, or email-auth risk is the urgent problem. Add the next actor when you need the customer-visible layer around the same domain:

Pricing & Cost Control

Apify Store pricing is usage-based, so total cost mainly follows how many domains you audit and whether you expand into recurring webhook or reputation-assisted workflows. Check the Store pricing card for the current per-event rates.

  • Start with Starter Quickstart on 2–5 domains in dataset mode while you validate the remediation summary and alert severity mix.
  • Keep concurrency low on third-party domains, and enable optional add-ons such as Web Risk only when the extra signal is worth the spend.
  • Scale to Recurring Portfolio Watch, then Webhook Remediation Queue once routing rules are stable.
  • Use dryRun: true before scheduled runs or webhook delivery.

Bug report or feature request? Open an issue on the Issues tab of this actor.